OpenSMTPD 7.8.0p0 released
Contributed by grey on from the Simple Mail Transfer Pumpkins? dept.
LibreSSL 4.1.2 and 4.2.1 released
Contributed by grey on from the anagram release version numbers dept.
Brent Cook has announced that LibreSSL 4.1.2 and 4.2.1 have been released.
The release notes read:
Enable BPF filtering on sockets
Contributed by Peter N. M. Hansteen on from the BPF my daemons, Puffy! dept.
Would it be useful for our system security to let daemons use the
bpf(4)
interface to filter on the sockets they handle?
In a recent
message
to tech@ titled
bpf filtering on arbitrary sockets,
Damien Miller (djm@) presents a preliminary patch and explains,
List: openbsd-tech Subject: bpf filtering on arbitrary sockets From: Damien Miller <djm () mindrot ! org> Date: 2025-10-30 5:03:00 Hi, This is an idea that came up while talking with dlg@ about network daemons. Quite a few programs and daemons use SOCK_RAW to send link-level packets after pledge(). E.g. usr.sbin/relayd/check_icmp.c wants to send ICMP packets. The problem with this is that, if they get compromised, they still hold a very powerful socket that can send pretty much arbitrary packets. If one of these programs gets compromised then the attacker can pretty easily pivot through the existing raw socket.
Making the veb(4) virtual Ethernet bridge VLAN aware
Contributed by Peter N. M. Hansteen on from the virtually bridging the LANs, really dept.
As some readers tell us whenever they have the chance, the
veb(4) virtual Ethernet bridge device is an OpenBSD feature that can make certain setups a lot more manageable than otherwise possible.
Now David Gwynne (dlg@) is fielding a patch on tech@ that would make veb(4) even more capable, by making the device vlan(4) aware.
In the message to tech@, David explains:
List: openbsd-tech Subject: make veb(4) VLAN aware From: David Gwynne <david () gwynne ! id ! au> Date: 2025-10-29 5:54:42 veb(4) is currently vlan unaware, meaning that it assumes that there's a single "namespace" for the mac addresses used by packets handled by the bridge. by default it blocks vlan (and svlan) packets, but if you allow it carry vlan packets it ignores the vlan tag when doing themacaddress lookups. addingvlanawareness means that everymacaddress the bridge learns is now associated with a vlan identifier (vid). ie, the same mac in two different vlans will get separate entries in the forwarding database.
OpenBSD 7.8 Released
Contributed by rueda on from the noble-puffy-prize dept.
The OpenBSD project has announced OpenBSD 7.8, its 59th release.
The new release contains a number of significant improvements, including but certainly not limited to:
- Preliminary support for Raspberry Pi 5 added [See earlier report]
- New profiling subsystem [See earlier report]
- TCP input now runs in parallel [See earlier report]
- Parallel TCP input has been optimised [See earlier report]
vmm(4)/vmd(8)now support SEV-ES on AMD processorsvmd(8)send/receive functionality was removed [See commit]watch(1)utility added [See earlier report]- New
acpiwmi(4)driver for ACPI Windows Management Instrumentation (WMI) [See earlier report] - New EFI
boot(8)"machine fwsetup" command for rebooting into the firmware user interface - The installer now prefers disks over 1GB [See earlier report]
rc.d(8)andrcctl(8)gained "-q" options [See commits]- Font caching no longer runs as root [See earlier report]
- New
erspan(4)driver for ERSPAN Type II collection [See earlier report] - LLDP daemon and tool have been added [See earlier report]
bpflogd(8)has been added [See earlier report]pkg_add -uno longer advises file removal [See earlier report]- Yubikey OTP support disabled [See earlier report]
acme-client(1)now supports draft-ietf-acme-profiles-00 specifications for certificate profiles, such as those offered by Let's Encrypt - seeacme-client.conf(5)"profile" keywordTearFreeoption backported tomodesetting(4)driver [See earlier report]libpnghas been bundled intolibfreetypefor improved font rendering [See commits]stdio(3)'sFILEis now opaque [See earlier report]clang(1)/llvm/lld(1)updated to version 19 [See earlier report]- C++ library updated [See earlier report]
- OpenSMTPD 7.7.0p0 [See earlier report]
- LibreSSL 4.2.0[See earlier report]
- OpenSSH 10.2 [See earlier reports on releases of versions 10.2 & 10.1]:
ssh-agent(1)andsshd(8)listener sockets moved from/tmpto under~/.ssh/agent[See earlier report]- DSA signature support removed [See earlier report]
- New
ssh(1)configuration directive,RefuseConnection[See earlier report] - It is now possible to use Ed25519 keys hosted on PKCS#11 tokens [See earlier report]
ssh(1)now issues a warning when the connection negotiates a non-post-quantum key agreement algorithm- OpenSSH will now adapt IP QoS to actual sessions and traffic [See earlier report]
See the full changelog for more details of the changes made over this latest six month development cycle.
The
Installation Guide
details how to get the system up and running with a fresh install,
while those who already run earlier releases should follow the
Upgrade Guide,
in most cases using
sysupgrade(8).
Readers are encouraged to celebrate the new release by donating to the project to support further development of our favourite OS!
In -current, chromium (and derivatives) now have VA-API support
-current, chromium (and derivatives) now have VA-API supportContributed by rueda on from the smooth-and-cool dept.
Following
a discussion
on ports@,
Robert Nagy (robert@)
committed VA-API
[hardware-assisted video
- see previous report]
support to the
chromium,
iridium,
and ungoogled-chromium
ports.
Note that:
- Updated (binary) packages for
amd64are just starting to become available. - Intel GPUs requires ports
graphics/intel-media-driver[and/]orgraphics/intel-vaapi-driver. Firefox already has VA-API support.
Update:
Now disabled again.
Plus, we were wrong about Firefox. Thanks for the comments!
WPA3 support for OpenBSD 802.11 wireless funded by NLNet Foundation
Contributed by Peter N. M. Hansteen on from the WiFi all chirpy dept.
The project to implement
WPA3 support for OpenBSD 802.11 wireless
has now been funded by a grant from the NLNet Foundation.
The work is to be carried out by Stefan Sperling (stsp@) and Chirpy Software.
The announcement states,
This project delivers the second open-source implementation of WPA3, the current industry standard for Wi-Fi encryption, specifically for the OpenBSD operating system. Its code can also be integrated by other operating systems to enable modern Wi-Fi encryption, thereby enhancing the diversity and resilience of the global IT ecosystem.
The project has an October 2025 start date, which likely means that work to implement even better Wi-Fi support in our favorite operating system is already under way. Read more from the announcement at the NLNet Foundation website.
We look forward to seeing the tangible results in future commits!
LibreSSL 4.2.0 Released
Contributed by Peter N. M. Hansteen on from the TLS SSLithers out dept.
The LibreSSL project has announced their latest release LibreSSL 4.2.0, with numerous improvements. The release announcement reads,
List: openbsd-announce Subject: LibreSSL 4.2.0 Released From: Brent Cook <busterb () gmail ! com> Date: 2025-10-14 14:19:28 We have released LibreSSL 4.2.0, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon. This is the first stable release for the 4.2.x branch, also to be available with OpenBSD 7.8 It includes the following changes from LibreSSL 4.1.0:
OpenSSH 10.2 released
Contributed by Peter N. M. Hansteen on from the SSH! A more perfect 10 dept.
Cranking up the heat for the upcoming OpenBSD 7.8 release, the OpenSSH project has issued OpenSSH 10.2.
This is a bugfix release that supersedes the previously announced OpenSSH 10.1 in time for the general release.
From the release notes:
Changes since OpenSSH 10.1 ========================== This is a bugfix release, primarily to fix a problem that rendered ssh(1) unusable when ControlPersist was enabled.
